Major shortcomings exist in cyber security readiness for nearly three-quarters (73%) of more than 4,100 organizations in five countries, despite keen awareness of the threat, according to a study commissioned by specialist insurer Hiscox.

Indeed, almost half, or 45 percent, of survey respondents experienced at least one cyber attack in the past year, while two-thirds suffered two or more attacks, said the “Hiscox Cyber Readiness Report 2018,” which surveyed a representative sample of private and public sector organizations in the UK, U.S., Germany, Spain and the Netherlands. (Hiscox published its first cyber readiness report in 2017).

While the costs of cyber crime range up to $25 million, the average cost of all incidents for survey respondents was $229,000. However, the average cost “masks some wide variations,” said the report, explaining that the average costs ranged between $356,000 in Spain and $1.05 million in the U.S. for organizations with 1,000-plus employees.

At the same time, some organizations faced still higher costs – up to $25 million in the U.S. and $20 million in Germany and the UK, the study confirmed. “For the very smallest (those with fewer than 100 employees), average costs ranged between $24,000 in Spain and $63,000 in Germany.”

Financial services, energy, telecoms and government organizations are the prime targets for hackers, while financial services firms are the largest spenders on cyber security, followed by the pharmaceuticals and healthcare sector and then government entities, the survey revealed.

The Hiscox study assessed each organization according to their cyber security strategy and the quality of its execution – and ranked them accordingly. Only 11 percent scored highly enough in both areas to qualify as cyber security “experts,” while one in six firms (16 percent) achieved expert status in either strategy or execution, but not both, the study revealed.

“The survey highlights a widening gulf between those who ‘get’ cyber security, take it seriously, and spend appropriately, and those who still regard the issue as someone else’s problem. Cyber security is not an IT issue but rather a risk for the whole organisation; tackling it is more about people, behavior and culture than clever technology,” said the report.

The report offers a picture of what best practice looks like, which often “is not ‘more technology’ but proactive thinking, more rigorous processes and better trained staff,” said Steve Langan, chief executive of Hiscox Insurance Co., in a prepared statement.

Additional findings in the report include:

Larger organizations are better prepared. One in five, or 21 percent, of larger organizations were ranked by the study as cyber security experts. (Larger organizations are defined as those with 250-plus employees). A further 17 percent pass the expert test in either strategy or execution.

Cyber experts buy more standalone cyber insurance. Three out of five (60 percent) cyber experts say they have cyber cover and a further 31 percent say they plan to take out cover in the coming 12 months. By comparison, one-third of overall survey respondents, or 33 percent, say they have standalone cyber cover while a quarter (25 percent) say they intend to adopt it in the coming year.

Smaller firms lack resources. Organizations with fewer than 250 employees devote a smaller proportion of their IT budgets to cyber security (9.8 percent on average versus 12.2 percent for larger organizations). At the same time, just 7 percent of smaller organizations (250 or fewer employees) make the grade as experts.

You get what you pay for. The average organization surveyed spends $11.2 million a year on IT with 10.5 percent of that budget spent on cyber security. The organizations with the cyber expert designation spent twice as much on IT as those that failed the test, or the so-called novices ($19.8 million on average versus $9.9 million). Cyber experts also devote a higher proportion of their IT budgets to cyber security than the novices (12.6 percent, versus 9.9 percent).

Spending to rise. Nearly three out of five respondents (59 percent) plan to increase their cyber security budgets in the year ahead. The experts lead the way with more than half (55 percent) planning to increase spending on awareness training compared with only 29 percent of organizations that failed the cyber readiness test.

U.S. and UK organizations are the most cyber-ready. One in eight (13 percent) U.S. and UK firms rank as cyber experts. Conversely, the Netherlands was deemed to be the least cyber-ready with only 7 percent of all Dutch organizations ranked as experts.

German firms face costliest incidents. When asked to estimate the cost of their single largest cyber incident, German firms reported the highest average figure, at $5 million, compared to Spanish organizations with the lowest cost per incident at a maximum of $800,000.